How to install an OpenVPN server and client on Linux
Installing OpenVPN
For the server
# cd /usr/local/src
# wget http://www.oberhumer.com/opersource/lzo/download/lzo-2.02.tar.gz
Alternatively, visit that website directly, download lzo-2.02.tar.gz and place it in /usr/local/src.
If gcc or gcc-c++ is not installed yet, install it with
# yum install gcc
# yum install gcc-c++
Then install lzo with
# tar zxvf lzo-2.02.tar.gz
# cd lzo-2.02
# ./configure
# make
# make check
# make test
# make install
Then install OpenVPN with
# cd /usr/local/src
# wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
Alternatively, visit that website directly, download openvpn-2.0.9.tar.gz and place it in /usr/local/src.
# tar zxvf openvpn-2.0.9.tar.gz
# cd openvpn-2.0.9
# ./configure
./configure usually fails here (it needs the OpenSSL development headers); if so, run
# apt-get install libssl-dev
and rerun ./configure.
# make
# make install
Then run
# cp -R -v -f /usr/local/src/openvpn-2.0.9/easy-rsa /etc/openvpn
# cd /etc/openvpn/easy-rsa/
# mkdir /etc/openvpn/easy-rsa/keys
# vi vars
with the following contents
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
export D=`pwd`
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR=$D/keys
# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="ID"
export KEY_PROVINCE="JKT"
export KEY_CITY="Jakarta"
export KEY_ORG="BPPT"
export KEY_EMAIL="vpnbppt@webmail.bppt.go.id"
# . ./vars
# ./clean-all
# ./build-dh
# ./build-ca
Fill in the prompts as follows
[root@localhost 2.0]# ./build-ca
Generating a 1024 bit RSA private key
........++++++
...............................................++++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [JKT]:
Locality Name (eg, city) [Jakarta]:
Organization Name (eg, company) [BPPT]:
Organizational Unit Name (eg, section) []:BPPT
Common Name (eg, your name or your server's hostname) [BPPT CA]:
Email Address [vpnbppt@webmail.bppt.go.id]:
* An empty value after ':' means just press Enter (the default shown in brackets is used).
# ./build-key-server server
then fill in the prompts as follows
Generating a 1024 bit RSA private key
........++++++
...............................................++++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [JKT]:
Locality Name (eg, city) [Jakarta]:
Organization Name (eg, company) [BPPT]:
Organizational Unit Name (eg, section) []:BPPT
Common Name (eg, your name or your server's hostname) [server]:
Email Address [vpnbppt@webmail.bppt.go.id]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:vpnbppt
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ID'
stateOrProvinceName   :PRINTABLE:'JKT'
localityName          :PRINTABLE:'Jakarta'
organizationName      :PRINTABLE:'BPPT'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'vpnbppt@webmail.bppt.go.id'
Certificate is to be certified until May 4 03:43:19 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
* An empty value after ':' means just press Enter.
Next, create a key for each client you want to connect, one per client,
using the steps below and filling in the fields as prompted.
[root@localhost 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
........++++++
........++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [JKT]:
Locality Name (eg, city) [Jakarta]:
Organization Name (eg, company) [BPPT]:
Organizational Unit Name (eg, section) []:BPPT
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [vpnbppt@webmail.bppt.go.id]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:vpnbppt
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ID'
stateOrProvinceName   :PRINTABLE:'JKT'
localityName          :PRINTABLE:'Jakarta'
organizationName      :PRINTABLE:'BPPT'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'vpnbppt@webmail.bppt.go.id'
Certificate is to be certified until May 4 03:43:19 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
* An empty value after ':' means just press Enter.
Then run
# ./build-dh
# cp keys/dh1024.pem /etc/openvpn
# cp keys/ca.crt /etc/openvpn
# cp keys/server.crt /etc/openvpn
# cp keys/server.key /etc/openvpn
# cp keys/server.csr /etc/openvpn
# cd /etc/openvpn
Now create the server configuration.
Note: make sure the server already has a static IP. On Ubuntu, run
# vi /etc/network/interfaces
and change the eth0 stanza to
auto eth0
iface eth0 inet static
address 202.46.240.235
gateway 202.46.240.193
netmask 255.255.255.192
network 202.46.240.192
broadcast 202.46.240.255
then apply it with
# sudo /etc/init.d/networking restart
Then edit the server configuration
# vi server.conf
with the following contents (lines starting with # are comments and may be left out)
# the server's static IP
local 202.46.240.xxx
port 1194
proto tcp
dev tun
# paths to ca.crt, server.crt, server.key and dh1024.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
client-to-client
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
cipher BF-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
The server is now ready to start with
# service openvpn start
# openvpn --config /etc/openvpn/server.conf
To check it, run
# ifconfig
If a tun interface (the tunnel) is listed, the server side is done.
For the client
# cd /usr/local/src
# wget http://www.oberhumer.com/opersource/lzo/download/lzo-2.02.tar.gz
Alternatively, visit that website directly, download lzo-2.02.tar.gz and place it in /usr/local/src.
If gcc or gcc-c++ is not installed yet, install it with
# apt-get install gcc
# apt-get install gcc-c++
Then install lzo with
# tar zxvf lzo-2.02.tar.gz
# cd lzo-2.02
# ./configure
# make
# make check
# make test
# make install
Then install OpenVPN with
# cd /usr/local/src
# wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
Alternatively, visit that website directly, download openvpn-2.0.9.tar.gz and place it in /usr/local/src.
# tar zxvf openvpn-2.0.9.tar.gz
# cd openvpn-2.0.9
# ./configure
./configure usually fails here (it needs the OpenSSL development headers); if so, run
# apt-get install libssl-dev
and rerun ./configure.
# make
# make install
Then copy ca.crt, client*.crt, client*.csr and client*.key from the server machine into /etc/openvpn on the client.
* stands for that client's number and must be the same for the csr, crt and key.
Then edit
# vi /etc/openvpn/client.conf
with the following contents
client
proto tcp
dev tun
# the server's static IP
remote 202.46.240.xxx
resolv-retry infinite
nobind
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client*.crt
key /etc/openvpn/client*.key
comp-lzo
cipher BF-CBC
persist-key
persist-tun
verb 3
* stands for the number of the client files you placed in /etc/openvpn/.
Then start it with
# service openvpn start
# openvpn --config /etc/openvpn/client.conf
and check with
# ifconfig
If a tun interface (the tunnel) is listed, the client side is done and the two machines can exchange data.
Note:
When running # openvpn --config /etc/openvpn/client.conf, make sure the date and time on the server and the client agree; otherwise the tunnel cannot be established.
Note: if known_hosts causes problems, run
# ssh-keygen -R hostname (the hostname that causes the problem)
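Before starting the client it is worth checking that the copied files actually belong together and chain to the server's CA: a client*.key from a different client, a certificate signed by another CA, or a skewed clock all produce the same opaque TLS failure. The script below is an added example, not part of the original tutorial; it uses plain openssl in place of easy-rsa to build a throwaway CA and client certificate in a temporary directory (2048-bit keys, as the vars file suggests), then runs the three checks. All file names and the "Other CA" are constructed for the example.

```shell
#!/bin/sh
# Added example: sanity-check an OpenVPN client bundle (ca.crt, clientN.crt,
# clientN.key) before running "openvpn --config client.conf". The throwaway
# CA and client certificate stand in for what easy-rsa's ./build-ca and
# ./build-key client1 produce; all names here are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkca NAME CN: self-signed CA, the equivalent of ./build-ca (2048-bit keys).
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout "$WORK/$1.key" \
    -out "$WORK/$1.crt" -subj "/C=ID/ST=JKT/L=Jakarta/O=BPPT/CN=$2" >/dev/null 2>&1
}
mkca ca "BPPT CA"        # the real CA
mkca otherca "Other CA"  # an unrelated CA, for the negative check

# Client CSR and CA-signed certificate, the equivalent of ./build-key client1.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client1.key" \
  -out "$WORK/client1.csr" -subj "/C=ID/ST=JKT/L=Jakarta/O=BPPT/CN=client1" >/dev/null 2>&1
openssl x509 -req -days 365 -in "$WORK/client1.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client1.crt" >/dev/null 2>&1
# An unrelated private key, i.e. a client*.key copied from the wrong client.
openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1

# check_bundle CA CERT KEY: prints "ok" and returns 0, or prints the first
# failing check and returns 1.
check_bundle() {
  ca=$1; cert=$2; key=$3
  # 1. Does the certificate's public key match the private key?
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "key-mismatch"; return 1
  fi
  # 2. Is it signed by this CA and valid now? openssl verify checks the chain
  #    and the notBefore/notAfter window against the local clock, which is why
  #    a wrong date on the client breaks the handshake.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    # -checkend 0 fails once the certificate has expired.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
      echo "chain-mismatch-or-not-yet-valid"; return 1
    fi
    echo "expired"; return 1
  fi
  echo "ok"
}

echo "good bundle: $(check_bundle "$WORK/ca.crt" "$WORK/client1.crt" "$WORK/client1.key")"
echo "wrong key:   $(check_bundle "$WORK/ca.crt" "$WORK/client1.crt" "$WORK/other.key")"
echo "wrong CA:    $(check_bundle "$WORK/otherca.crt" "$WORK/client1.crt" "$WORK/client1.key")"
```

On a real client, run check_bundle against /etc/openvpn/ca.crt and the client*.crt and client*.key you copied over; "ok" means the files pass the same checks the TLS handshake will apply.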